Miami-Dade County Public Schools Network Security Standards - Administrative Summary

1.0 Data Classification and Security Objectives

Miami-Dade County Public Schools (M-DCPS) realizes that information is a valuable asset and must be protected from unauthorized destruction, access, modification, disclosure, loss, theft, or removal. These standards, in conjunction with appropriate state and federal statutes, will serve as a foundation for the protection of M-DCPS data. All security measures must conform to established M-DCPS policies and applicable federal, state, and local laws.

Sections 1.0, 1.1, 1.2, 1.3, 2.0, and 2.1 provide the basis of a data classification policy by laying out scope, risks, and goals. In addition, Sections 5.0 and 5.1 lay out specific user responsibilities regarding the protection of District data and should also be viewed as part of the District data classification policy. Sections 3.0, 4.0, 4.1, and 4.2 provide a detailed technical roadmap to achieve these objectives, while Sections 6.0 and 6.1 discuss changes to these standards.

1.1 Overview

M-DCPS has for many years relied on computers and data processing facilities to store and manipulate vast amounts of data. That data includes, but is not limited to, student records, personnel records, and business and accounting records. The explosion of networks and Internet-related informational activities means that this sensitive data is more conveniently available to authorized staff in ways undreamed of even a few years ago, but it is also at risk. M-DCPS must address the security of this data in such a way that all avenues of access are strictly controlled and that the privacy and value of the data are not compromised. The Office of Management and Compliance Audits (OMCA), in concert with Information Technology Services (ITS), reserves the right to audit M-DCPS locations for compliance with these Security Standards.

1.2 Risks to M-DCPS

Any breach of data security could be costly to school system staff, users, and students as well as to the school system itself. Moreover, any number of individuals or agencies could improperly benefit from M-DCPS data. The following is a list of some of the technical risks:

- Altered data
- Stolen and intercepted data
- Data rendered inaccurately
- Destroyed data
- Loss of M-DCPS ability to process data

The following is a list of some of the business risks to M-DCPS:

- Lawsuits for not protecting sensitive data
- Loss of funding (for example, FTE) due to the transmission of incorrect data to other agencies
- Unfair penalty or advantage to students due to the transmission of incorrect data (for example, incorrect transcripts resulting in unfair penalty or advantage to students applying for college and/or scholarships)
- Loss of negotiating advantage by unauthorized disclosure of lists and other business assets to vendors
- Liability for incorrect data (including State and Federal penalties)
- Errors in business decisions due to inaccurate data
- Negative publicity surrounding the use of incorrect data and subsequent regulatory enforcement
- Inability to process business transactions in a timely fashion, or at all

Sensitive data is defined as any data that should only be viewed by authorized personnel. Data sensitivity is determined by, but not limited to, federal and state laws (including privacy acts), M-DCPS Board Policies, and decisions by senior staff and/or the data owners (see Section 2.1 of this document).

1.3 Background of M-DCPS Data Security

Historically, almost all M-DCPS data was kept on the M-DCPS mainframe at ITS, and access was strictly controlled through the use of the mainframe IBM OS/390 Security Server (RACF). As long as valuable data is kept on the mainframe, this accepted tried-and-true method of protection will continue to be the mainstay of our mainframe security efforts. Moreover, it provides a model hierarchical protection scheme that can be used in an expanded network security paradigm. This includes the delegation of local authorization duties to an approved supervisor at the site. Approved supervisors include school principals and department heads.
2.0 Scope

In this document, authorized staff will hereafter be defined as all M-DCPS employees, consultants, vendors, auditors, students, temporary help, volunteers, and others authorized by M-DCPS to use the specific M-DCPS computer systems, applications, and information required for the performance of their job or function. These specific functions are determined and/or approved by the site supervisor. Modification of authorizations without the site administrator's approval is prohibited. The following is a list of some of the individuals and resources the Network Security Standards apply to:

- All authorized staff, volunteers, students, and vendors, as well as unauthorized parties seeking access to M-DCPS computer resources
- All M-DCPS mainframes, minicomputers, personal computers, outside timesharing services, outside suppliers of data, network systems, wireless devices, M-DCPS-licensed software, switches, routers, hubs, and computer workstations
- All M-DCPS data and reports derived from these facilities
- All programs developed on M-DCPS time or using company equipment
- All terminals, communication lines, and associated equipment on M-DCPS premises or connected to M-DCPS computers over physical or virtual links
- Any equipment not owned by M-DCPS but connected to the M-DCPS network

All M-DCPS staff and authorized non-staff must be aware of the risks and act in the best interest of M-DCPS. These standards detail staff's responsibilities for computer security. Unauthorized persons who attempt to use M-DCPS computer resources will be prosecuted to the fullest extent possible.

2.1 Owners of Data

All computer files and data are to be associated with a user. In general, unless otherwise specified, the head of the department who requested the creation of the files and programs that store and manipulate the data on the computer is the owner of the data. The owner is responsible for specifying whether the data is sensitive and which user-ids will be authorized to access it, or who will be responsible for giving such authorization.

3.0 Physical Security

Adequate building security (both physical and environmental) must be provided for the protection of all physical and logical M-DCPS computer assets, and especially sensitive applications and data. Security includes, but is not limited to, lockable doors and windows, limited access, protection from water, fire, and the elements, alarms, access controls, and surveillance devices such as cameras and monitors. Site supervisors must protect all hardware and software assigned to their location. Administrative computers must be segregated from classroom computers. Students and unauthorized personnel should never have access to administrative machines.

4.0 Non-Mainframe System Security

Non-mainframe systems (Local Area Network (LAN) and Wide Area Network (WAN)) must have the same protection methodology in place as mainframes do, to ensure M-DCPS computer assets are secure. Programmatic methods are to be used to control access to non-mainframe resources. These methods include granting specific users or groups access to specific system resources, and use of the least privilege concept for access to all system-level resources such as the operating system, utilities, and databases. Least privilege is defined as a default of no access to these resources, with explicit permission and authorization by the owner required based on need. Non-mainframe systems must be provided with:

1. Auditing/logging of such security-relevant information as log-on information, resource access, and TCP/IP addresses whenever possible.
2. Logging of security modifications and system administrator events.
3. Ability to audit/log specific users and resources on demand.
4. Ability to send specific security-sensitive events directly to a specified administrator's workstation, terminal, or e-mail, preferably with an audible alarm.

4.1 M-DCPS Network Systems Security

Network systems include any local area network (LAN), wide-area network (WAN), dial-up, Internet, servers, server connections, switches, hubs, routers, lines, software, and data that are outside the M-DCPS mainframe system. The security must include both physical and logical layers of protection. As M-DCPS moves from storing and transferring sensitive information used within M-DCPS in a closed network architecture utilizing private and/or leased lines to an open network architecture using the Internet and TCP/IP networks, employees must pay particular attention to the security of these assets.

Network Structure, Hierarchy, and Requirements

1. As a statement of direction, all administrative PC-type servers in M-DCPS should migrate to the Windows 2003 (or above) operating system. Microsoft no longer supports Windows NT or Windows 2000 and will not provide fixes or reports for vulnerabilities, including any new ones found. No Windows NT servers are to be connected to the network, and every effort must be made to remove Windows 2000 servers currently connected. Since these operating systems (OS) are unsupported, there is no anti-virus or patching available for them, and they are therefore unprotected. Sensitive data should be moved to a server with a higher-level OS. Applications should be updated to work on, and be moved to, a higher-level OS if at all possible. If an updated version is not available, vendors must be notified that they must provide an updated version of the application as soon as possible. All servers still using Microsoft Windows NT must be migrated to a Windows 2003 or above server platform immediately or disconnected from the network. Administrators of servers currently using Novell or any other PC network operating system should also strongly consider migrating to Windows 2003 or above Server. Desktops and laptops connected to the network should similarly be migrated to Windows XP SP3 or above to take advantage of higher levels of security.

2. The District employs Active Directory Services (ADS), a hierarchical structure similar to a pyramid. Information Technology Services has established and maintains the root ADS (the top of the pyramid) for M-DCPS and determines local and group policy settings. In Microsoft terms, this structure is best described as a forest. All other District servers will be added to the ITS-established Active Directory forest.

3. Below the root in the forest are Organizational Units (OUs) that are the school and administrative sites in the District. These local OUs are simply smaller networks with their own Domain Controllers (DC) that connect to the M-DCPS network. These DCs are under ITS authority and are not to be managed in any way by the local OU administrators. Local OU administrators must strictly limit access to their OU from other OUs as well as from the outside. ITS must have Enterprise Administrator rights to all OUs in the District forest. ITS must provide advance notification of group policy changes.

4. Computers with Windows 9x or earlier are prohibited from being connected to any M-DCPS network. The security features of this level of OS are extremely primitive and leave user accounts vulnerable to a variety of risks, including unencrypted caching of user-ids and passwords. As stated previously in this document, all Windows computer OS must be Windows XP SP3 or above. This level of OS provides protection from the various strains of worms that propagate rapidly through networks via computers with a lower-level OS. Although Windows 2000 workstations employ a better security paradigm than Windows 9x, they are no longer supported by Microsoft and should be replaced and/or removed from the network as soon as possible, as described in preceding sections.

5. All locations must migrate from the original school and District networks to the dadeschools network. Most of these are old networks with weak security and must be removed from production immediately.

6. M-DCPS Board Policies, directives, and standards regarding the following topics must be read and followed at all times:
   - M-DCPS Acceptable Use Policy of the Network/Internet for staff
   - M-DCPS Acceptable Use Policy of the Network/Internet for students

   - M-DCPS Board Policy regarding Copyright
   - M-DCPS Board Policy regarding staff use of District systems
   - M-DCPS Board Policy regarding student use of District systems
   - The Office of Management and Compliance Audits (OMCA) web site, which includes the School IT Audit Assessment

7. Each department or school must maintain a disaster contingency plan to provide for recovery of data in case of catastrophic loss. At minimum, all M-DCPS data must be backed up once a week, and all mission-critical data must be backed up daily. Data on the backup media will be verified as usable.

8. Administrative computers are defined as non-classroom computers on which M-DCPS requisition and business functions, exempt student academic and demographic data, staff directives, staff tasks, etc. are stored and/or viewed. These computers should be kept physically and virtually separate from instructional computers. Students are not to have access, either physical or virtual, to production servers or any administrative computers.

9. Every effort should be made to secure classroom machines on which student testing, test grading and evaluation, grade book activities, and staff functions are carried out. This includes:
   a. installing application passwords and timeouts,
   b. up-to-date anti-virus software,
   c. separate computers for teacher use only,
   d. the most current version of the District's patch-management software to ensure the computer has the most recent software and operating system security patches,
   e. installation of anti-spyware applications when available,
   f. possible storage of grade and test data on removable (encrypted) media, and
   g. limiting unsupervised student access as much as possible - individual student accounts or common student accounts (STUDENT01) should be separate from teacher accounts.

10. All administrative computers and server consoles that are used to access or control sensitive data must have a screen saver timeout and password after a specific period of inactivity, or some other lockout mechanism, to prevent unauthorized persons from accessing the data via the logged-in user's account. The Windows timeout with password is available even if the specific application does not have one. Users should also be in the habit of locking their computer or logging off when they are finished or leaving the computer unattended, even for a brief time (See section in this document). These computers may also have boot-up passwords. The timeout may be temporarily turned off by the local admin when the computer is to be used for presentations or other instructional activities, but must be turned back on when the activity has been completed.

11. Classroom computers are defined as computers used by students, or servers that connect instructional computers. There are to be no administrative applications, especially mainframe sessions, installed on any of these computers or servers.

12. Outside access to M-DCPS networks should only be through hardened Web servers. This means that Web servers should have no other applications running on them and should not connect easily to the rest of the M-DCPS network. Information on Web pages must be kept as current as possible.

13. Access to critical resources should be managed by assigning individuals to a group. The group should be set up with the authority necessary to do the specific job/task or access specific data. This will provide management with a more efficient method to remove access authority when a user is no longer responsible for performing the task. Group membership should be reviewed on a regular basis to ensure all members are appropriate. Under no circumstances should users be assigned data folder or application rights as an individual, except for home folders.

14. Locations maintaining their own network components must keep diagrammed documentation indicating how the network is physically configured (i.e., location of servers, switches, routers, etc.).

15. Software that restricts, prevents, or inhibits updates sent by ITS, including, but not limited to, Deep Freeze, Fortress, Clean Slate, HD Guard, and others of this type, is not to be installed without written permission from ITS.

16. No form of Wake On LAN (WOL) tool should be used to automatically turn on computers unless it is for immediate maintenance purposes, such as imaging or to allow monthly updates to be sent. The use of this type of tool undermines the purpose and effect of the new Power Management Program, which is a District-wide initiative that will save millions of dollars and help reduce emissions (See ). In addition, local power management settings on PCs should only be altered by ITS.
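The two checks below are an added example for items 10 and 13 above, written by this editor in PowerShell; they are not M-DCPS or ITS tooling. The first reads the current user's screen saver settings (preferring the Group Policy key when a policy has written one) and reports whether a password-protected timeout is actually in force. The second walks the ACLs of the folders you name and lists every access entry granted directly to a user account rather than to a group, skipping the home folder tree that item 13 exempts. The 15-minute threshold, the folder paths and the home folder root are assumptions for illustration; the standard itself names no specific timeout.

```powershell
# Added compliance checks for items 10 and 13 (editor's example, not District tooling).
# Assumptions: a 15-minute timeout threshold (the standard names no number) and the
# constructed paths in the usage lines at the bottom.

function Test-ScreenLockPolicy {
    param([int]$MaxTimeoutSeconds = 900)   # assumed threshold, not from the standard

    # Group Policy writes to the Policies key and it overrides the per-user key when present.
    $policyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userKey   = 'HKCU:\Control Panel\Desktop'

    function Read-Setting([string]$Name) {
        foreach ($key in $policyKey, $userKey) {
            if (Test-Path $key) {
                $v = (Get-ItemProperty -Path $key -Name $Name -ErrorAction SilentlyContinue).$Name
                if ($null -ne $v) { return $v }
            }
        }
        return $null
    }

    $active  = (Read-Setting 'ScreenSaveActive')    -eq '1'
    $secure  = (Read-Setting 'ScreenSaverIsSecure') -eq '1'   # "On resume, display logon screen"
    $timeout = [int](Read-Setting 'ScreenSaveTimeOut')        # seconds; 0 when unset

    [pscustomobject]@{
        ScreenSaverActive = $active
        PasswordOnResume  = $secure
        TimeoutSeconds    = $timeout
        Compliant         = $active -and $secure -and ($timeout -gt 0) -and ($timeout -le $MaxTimeoutSeconds)
    }
}

function Get-IndividualUserAces {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [string]$HomeFolderRoot = '',                 # item 13 exempts home folders
        [string]$DefaultAuthority = $env:USERDOMAIN   # used when an identity has no DOMAIN\ prefix
    )
    # Built-in and system principals are neither users nor site-managed groups; skip them.
    $systemPrefixes = 'NT AUTHORITY\', 'BUILTIN\', 'NT SERVICE\', 'CREATOR OWNER', 'Everyone'

    foreach ($folder in $Path) {
        if ($HomeFolderRoot -and $folder -like "$HomeFolderRoot*") { continue }
        $acl = Get-Acl -Path $folder
        foreach ($ace in $acl.Access) {
            $identity = $ace.IdentityReference.Value   # e.g. DOMAIN\jsmith, BUILTIN\Users, or a raw SID
            if ($systemPrefixes | Where-Object { $identity.StartsWith($_) }) { continue }

            if ($identity.Contains('\')) { $authority, $name = $identity -split '\\', 2 }
            else                         { $authority, $name = $DefaultAuthority, $identity }

            # The WinNT provider resolves domain and local accounts alike; SchemaClassName is
            # 'User' or 'Group'. Orphaned SIDs fail to resolve and are left out of the report.
            $class = 'Unresolved'
            try { $class = ([ADSI]"WinNT://$authority/$name").SchemaClassName } catch { }

            if ($class -eq 'User') {
                [pscustomobject]@{
                    Path      = $folder
                    Identity  = $identity
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (constructed paths for illustration):
Test-ScreenLockPolicy
Get-IndividualUserAces -Path 'D:\Shares\Admin', 'D:\Shares\Payroll' -HomeFolderRoot 'D:\Shares\Home' |
    Format-Table -AutoSize
```

Run it as the logged-in user whose lock settings are in question, since the screen saver keys live under HKCU. Any row the second function prints is a direct user grant that item 13 says should be replaced by group membership; inherited rows point at the parent folder where the grant was made.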

4.1.2 Data Access, Transfer and Communication

1. Firewalls are servers that function as a barrier preventing unauthorized outside access to the M-DCPS network. Exceptions requiring access from the outside must be documented by filling out ITS's Remote Client Support Agreement IP Entry (FM-6045) (old), or either of the new VPN/Dial-Up Access Request forms (FM-6629, for vendors or employees). ITS will keep firewall audit logs and review them regularly for illicit activity against the firewall.

2. Access to secure mainframe applications via the network requires RACF authorization.

3. Dial-in to the M-DCPS network requires network authorization and access authentication.

4. Accessing District resources using Remote Access Services (RAS), such as Digital Subscriber Line (DSL) or dial-in technology with a modem from external providers, may pose a risk to the network and the data. This provides a "back door" around network security by giving users a direct connection to a remote server. If remote access is authorized and sensitive/confidential data is to be transmitted, the line must be secured by Virtual Private Network (VPN), Secure Socket Layer (SSL), or some other technology that encrypts the data so that it is never transmitted in clear text. Hackers using sniffer technology often scan transmission lines looking for data they can use. Examples include user-ids and passwords, account numbers and financial information, student data deemed exempt from public release by state law, or Human Resource (HR) data.

5. The use of communications software that provides the ability to remotely "take over" a network-connected PC is prohibited unless authorized by ITS. If it is used, it should be strictly controlled by the local administrator and user. It should be turned on only when support is needed (and the user has given permission, if applicable) and immediately turned off once the support has been provided. Certain remote administration tools, like VNC freeware, are unsupported, have known security vulnerabilities, and are removed when found by the District's anti-spyware. ITS recommends that district technical staff use Dameware as a low-cost alternative to VNC.

6. Confidential data taken from the District, whether via laptop, jump drive, removable media like a CD or floppy disk, PDA, e-mail, FTP, printed report, or any other method, must be encrypted, redacted, or otherwise sterilized so that if the content falls into the wrong hands it cannot be misused. Agencies outside the school system's secure cloud that engage in File Transfer Protocol (FTP) operations or transmission with the District in which confidential data is transferred are to be encouraged to utilize an encryption process requiring asymmetrical (public and private) keys, such as PGP (Pretty Good Privacy). Transfer of confidential data and any exceptions to the encryption process must be authorized by ITS.

7. Application software that has built-in security functions must have these functions activated when this software involves confidential data. In addition, new software purchased to handle confidential data should have security capabilities as documented in Sections 5.1 User-ids and Passwords and 4.0 Non-Mainframe System Security.

8. Users should be aware that unprotected folders on the network are prey to many different forms of hacking. It is the responsibility of the local site administrator to ensure that this data is secure.

9. Network Administrators, including ITS staff, are prohibited from viewing or otherwise manipulating user files on the user's local drive without the permission of the user or the approval of appropriate administrative, legal, or police staff, unless there is a critical need to do so. Critical need is defined as faulty system function, virus activity, illicit hacking or Internet activities, pornographic or other offensive material activity, or other violations of District policies. These policies include, but are not limited to, the Network and Internet Acceptable Use Policy, the Staff and Student E-Mail Policies, the Copyright Infringement Policy, the Network Security Standards, or any other District policy, Board Policy, or directive relating to user conduct. It should be noted that the District policies discuss the lack of privacy in the system at length.

10. Personal or vendor-owned devices such as desktops, laptops, Personal Digital Assistants (PDAs), etc., or portable/removable storage devices/media such as Universal Serial Bus (USB) jump drives, should not be connected to any M-DCPS network without network administrator/site supervisor approval. These devices may carry applications, configurations, viruses, etc. that pose a risk to the network, or may be used to remove sensitive data from the network. School system technicians may grant approval after, as time permits, certifying the device is not a threat to District networks. Technicians are not required to bring the personal device into compliance unless directed to do so by their supervisor. For more information, see 4.3 Portable Devices. ITS reserves the right to disconnect, modify, and/or confiscate any device connected to the District network that does not meet these Standards, is being used inappropriately, is not authorized, or poses a threat to any District data, network, or user. Any personal/vendor-owned device that will connect to the network will be considered unmanaged; these devices must connect to and adhere to the criteria of the Bring Your Own Device (BYOD) network. (See Section 4.4 BYOD Bring Your Own Device below.)

11. Devices like routers, hubs, switches, firewalls, wireless access points, other network devices, and modems, whether personally or District owned, should not be installed without prior approval from the site supervisor and ITS. Once approved, ITS technicians are required to bring these devices into compliance with these Standards. ITS reserves the right to randomly scan or monitor for the presence of insecure, unauthorized, or corrupted devices connected to M-DCPS networks. The use of rogue networking devices without approval by ITS is prohibited. As mentioned previously, ITS will disconnect, modify, and/or confiscate any device not meeting these standards or that is being used inappropriately.

12. Sensitive/confidential data to be accessed via the Internet must be secured during transmission using encryption, 128-bit or higher if possible. This is most commonly done using SSL certificates, which may be purchased from recognized certificate authorities on the Internet (see item 4 of Section 4.1.2 Data Access, Transfer and Communication).

13. Any computers or networking devices removed from service in the District must have the hard drives degaussed, reformatted, or otherwise cleared of software and data before they can be sold, given away, or disposed of. In the case of switches, routers, etc., the configuration must be wiped. District-licensed software, confidential data, user-ids, passwords, and information that can be used to access M-DCPS network and/or mainframe systems left on these machines may fall into the wrong hands if steps are not taken to eliminate it.

14. Staff must be aware that technology is constantly evolving, and changes may pose new threats in areas that previously were not an issue. Copier and printer technology has evolved to the point where there is wireless communication to these devices from computers, and hard drives/solid-state memory within the device may hold copies of all documents printed, copied, or faxed. This means that wireless transmissions of confidential data, whether printed or copied, can be intercepted, and hard drives containing confidential information can be accessed. Devices with wireless capabilities should follow the same security rules as other wireless devices (see 4.2 Wireless Network Communications). Devices with nonvolatile memory should have their memories cleared on a regular basis. At this writing, the District's Purchasing Department is in the process of updating bids and contracts for these devices so that security is included by default. Although the bids and contracts may specify that hard drives be removed or degaussed by the vendor when the machine is being taken out of District use, local supervisors should confirm that this has been done.

15. Sites using the District's Simple Mail Transfer Protocol (SMTP) relay server must use it for the purpose explicitly listed when requesting approval. The IP address will be monitored, and if use that is inappropriate or inconsistent with the requested access of the gateway is found to occur, ITS reserves the right to revoke this access.
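Item 12 above calls for 128-bit or stronger encryption on Internet-facing access to sensitive data, most commonly via SSL certificates. The function below is an added example by this editor in PowerShell, not District code: it opens a TLS connection to a named host, records the protocol version, cipher and key length the server actually negotiated (not what it advertises), and checks that the presented certificate chains to a trusted root and is within its validity dates. The host name is a placeholder. The protocol-version check, which rejects SSL 3.0, TLS 1.0 and TLS 1.1, goes beyond the standard's key-length wording and is this editor's addition.

```powershell
# Added example for item 12: report what a TLS endpoint really negotiates (editor's code,
# not District tooling). The host name in the usage line is a placeholder.

function Get-TlsHandshakeReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$MinimumCipherBits = 128,                         # item 12's floor
        [string[]]$AcceptedProtocols = @('Tls12', 'Tls13')     # editor's addition, not in the standard
    )

    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake so the session completes and can be
        # inspected; trust is evaluated explicitly below rather than by this callback.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($cert)      # $false when the chain is untrusted, revoked or expired
        $now = Get-Date

        [pscustomobject]@{
            Host               = $HostName
            Protocol           = $ssl.SslProtocol
            CipherAlgorithm    = $ssl.CipherAlgorithm
            CipherStrengthBits = $ssl.CipherStrength
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            NotAfter           = $cert.NotAfter
            ChainTrusted       = $trusted
            ChainStatus        = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            Compliant          = ($ssl.CipherStrength -ge $MinimumCipherBits) -and
                                 ("$($ssl.SslProtocol)" -in $AcceptedProtocols) -and
                                 $trusted -and ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        }
        $ssl.Dispose()
    }
    finally {
        $client.Dispose()
    }
}

# Usage (placeholder host; substitute the site's Internet-facing server):
Get-TlsHandshakeReport -HostName 'www.example.org' | Format-List
```

Because the negotiated cipher depends on the client as well as the server, run the check from a workstation that matches what users actually connect with. A report with ChainTrusted false and a ChainStatus such as UntrustedRoot indicates a self-signed or privately issued certificate, which item 12 does not accept for Internet-facing access.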

13 4.1.3 Downloads and Internet 1. Games, chat sessions, peer-to-peer (P2P), and instant messenger applications are prohibited on the M-DCPS network unless there is a legitimate educational purpose and prior approval. These applications bypass network security such as anti-virus scans and therefore are a risk. Chat and instant messenger applications can tie up a great deal of bandwidth and may be used by students for many illicit purposes. In particular, students can easily be put in contact with persons who may be a threat to their safety. In cases where there is chat capability within a software package for vendor support purposes, users should only use this to work with support for the application. 2. MPEG files (including the MP3 and MP4 formats) are audio and video files digitized and/or compressed into a format that can be read and transferred by a computer. Downloading or storing files of these or any other formats without an instructional purpose is prohibited. These files, though greatly compressed, are still fairly large and can tie up a great deal of bandwidth and computer storage. In addition, most have been illegally copied and infringe on copyrights owned by the artists and record/movie companies (refer to section Network Structure, Hierarchy and Requirements, number 6, especially Copyrights). Users should be aware that record/movie companies are notifying the District when an MPEG file of copyrighted material has been downloaded and what location received it. 3. Streaming audio and video is basically the same type of data as MPEG but it is being sent in a continuous stream directly to the computer s media player rather than as a file for storage. This sort of streaming content uses large amounts of District bandwidth and, like the mpeg files mentioned above, may involve copyright infringement. For these reasons, streaming audio and video is also prohibited unless it has a valid educational purpose and site supervisor approval. 4. 
Skype and other Voice over IP (VoIP) applications are prohibited without a valid educational purpose and authorization. These applications consume large amounts of bandwidth and require client software that can introduce security vulnerabilities unless they are updated on a regular basis. In addition, the openings in the firewall required to allow access to SKYPE have been proven to provide easier access for hacker activities by exposing extra vulnerabilities. 5. Applications such as WebWhacker that allow a user to download all of the content from a Web page automatically, in large bursts, and without user intervention, are prohibited unless there is a valid District purpose, as they consume large amounts of bandwidth. 6. Hacking software has been designed to allow unauthorized persons to infiltrate computers on the network, view and modify data, and spy Page 11 of 11

14 on a user s keystrokes in an effort to get user-ids and passwords, among other things. ITS reserves the right to randomly scan or monitor any computers attached to the M-DCPS network in an effort to detect the presence of any "hacking software" or irregular operations that may be present on the network. ITS also reserves the right to disconnect any device or user on the network that appears to pose a threat or does not meet District compliance. Regarding the use of network administration software, users should be aware of the following: a. Improper use of scanning tools can corrupt system files, user account information, and databases. b. Hackers generally start their illicit activities by scanning networks searching for unprotected resources with these tools. c. Any scan of the M-DCPS network may appear to be the work of a malicious entity. d. Scanning anywhere in the M-DCPS WAN is traceable to the source and those responsible can be identified. Local Network Administrators may scan their own network within the framework of their assigned and authorized duties. Requests to scan the local network by persons who are not members of the site staff (whether it is a school or an administrative department) require approval from ITS. Under no circumstances will scanning outside the local network site, either of another LAN in M-DCPS or public or private networks outside M-DCPS, be permitted. All applicable local, state and federal regulations apply. It should be noted that, in the case of scanning networks outside M-DCPS, local and federal law enforcement officials are unable to tell the intention of illicit scanning and are therefore vigorously prosecuting all instances. This prosecution is generally independent of M-DCPS disciplinary activities. 7. Cracked software is software that has had its internal security broken (cracked) and has been made available to others. Cracked software is strictly prohibited. Page 12 of 12

8. M-DCPS Internet content filtering technology limits the kinds of Internet sites that can be viewed on the M-DCPS Internet connection. Pornography sites, sites advocating violence or bigotry, sites with games, hacking tools, and cracked software are examples of what will be blocked. There will be no bypassing of the M-DCPS Internet content filtering without ITS authorization. Software that bypasses filtering and other data security mechanisms includes the AOL full client and other Internet Service Provider (ISP) full-client applications. Installation of this software on District computers is prohibited without authorization. Internet content filtering audit logs showing Internet activity and sites visited by users may be reviewed at any time.

9. Network file shares should not be used for storing personal pictures, videos, and music files, and M-DCPS will not be liable for any lost personal files.

Authorizations and Access

1. Certain applications are particularly sensitive, and supervisors must be careful to adhere to District mandates regarding the number of staff given authorization to update these applications. These mandates are issued by School Operations. The following is a list of applications that fall into this category:

a. Mainframe academic grade update
b. Grade Book Manager and Attendance functions
c. Payroll data entry and approval
d. Requisition data entry and approval

2. Site supervisors are reminded that staff authorizations are listed in the Authorizations for Employees by Location report (Product number T0802E0101) available through the Cntl-D Web Viewer on the Intranet. This report is now run monthly and has been expanded to include listings for each of the specific sensitive areas listed in number 1 above.

Users are reminded that the District Staff Policy (see section Network Structure, Hierarchy, and Requirements, number 6) requires individual users to keep all e-mail that is required to be kept by federal, state, and local statute. Accessing other users' e-mail without authorization or valid District purpose is prohibited. The e-mail system is an application containing potentially sensitive information, and users should take all precautions to protect it, including locking their computer and protecting their passwords as outlined elsewhere in this document.

ITS runs regularly scheduled backups that are intended to be used only for system recovery. They are not for archival purposes. These backups are kept for at least 10 days but no more than 3 weeks and are then deleted.

(Note: at this writing, a School Board Policies revision project is underway. Board Policy numbers and contents may change. Check the District's home page to find the most current versions.)

4.2 Wireless Network Connections

Wireless network components have become a very attractive alternative to cabling due to their low cost and relative ease of installation. If installed without proper security, however, they pose the same threat to our informational assets as if a hacker were able to plug directly into one of our network jacks. Users should observe the following:

1. Network installations with wireless components must maintain the highest level of security available. Older M-DCPS wireless installations should be updated with any vendor patches supplying improved security features. If the device has no approved security available, it must be replaced or removed immediately. New installations should use only products with high-level encryption. In all cases, the installation's security features must be turned on.

2. All wireless installations must be approved and managed by ITS. This includes all school and administrative sites. All unknown, unapproved, or interfering wireless nodes will be subject to limited or no access. This includes removal, confiscation, and/or blocking of non-compliant nodes. Wireless nodes include, but are not limited to, wireless access points, wireless routers, ad-hoc devices, wireless printers, wireless storage devices, and other such wireless peripherals.

3. All wireless installations must be enterprise capable. This allows configuration and management to be handled remotely. A low-cost, residential-type Access Point (AP) is not enterprise capable. In addition, all wireless installations must include surge protectors, with battery backups recommended. Experience has shown that security settings on wireless devices have been reset by lightning strikes or power surges. This means the security may have been turned off without the knowledge of staff.

4. Site supervisors and technicians should check that other staff do not install rogue devices. These devices become open doors to hackers seeking to get into the network.

5. Municipalities, houses, and businesses around a site may provide accidental associations with their networks. Every effort should be taken to avoid tapping into outside wireless networks.

6. If adequate security cannot be achieved within the boundaries of the manufacturer's built-in security mechanisms, a firewall should be placed between the workstations and the Access Point (AP) in such a way that the transmissions have a high level of encryption (3DES, also known as Triple-DES, if possible).

7. When utilizing any outside wireless network or wireless service, Virtual Private Network (VPN) technology should be used.

8. New wireless installations in the ITS/SBAB core network must first be approved by ITS network administration staff. Information regarding the purpose, and certification that the installation incorporates the highest level of security possible, must be provided.

9. ITS is authorized to randomly scan or monitor for the presence of unauthorized, incorrectly configured, or insecure wireless devices connected to M-DCPS networks. ITS also reserves the right to disconnect any wireless device that appears to pose a threat to an M-DCPS network. District staff should be aware that, because unsecured wireless devices are such a serious security concern, instances of non-compliance with these standards will be reported and unauthorized devices confiscated, removed, and/or blocked.

10. Staff should always purchase wireless devices through the M-DCPS bid process. Devices purchased through the bid are enterprise capable, have more industrial strength, and include surge protectors, installation, and support. Additionally, in some cases they are e-ratable, and so the cost to the school may be about the same as the low-end devices purchased outside the bid. Check with an e-rate expert for details.

11. Because there is such a wide range of wireless devices, it is not possible to list all possible security options. However, at the very least, the following options should be set:

a. The broadcast option should be turned off, except for an ITS-approved and configured Service Set Identifier (SSID) connecting to a restricted BYOD wireless network.
b. Wi-Fi Protected Access 2 Pre-Shared Key (WPA2-PSK) with Advanced Encryption Standard (AES) encryption should be turned on, configured, documented, managed, and/or otherwise approved by ITS.
c. Membership should be limited to those machines having IDs defined as being authorized to join the network and having the correct network name.
d. All default passwords should be changed.

No device can participate in an ad-hoc network or reside behind or act as a firewall or Network Address Translation (NAT) device while connected to an M-DCPS network.
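The minimum wireless settings listed above (SSID broadcast off except for the approved BYOD SSID, WPA2-PSK with AES, membership limited to authorized machine IDs, default passwords changed, no ad-hoc and no NAT or firewall role) are easy to express as a configuration check that a site technician can run against an exported AP configuration. The following is an added example written for this page, not an ITS tool or any vendor's API. The `ApConfig` record, the approved BYOD SSID name, the list of default passwords and the sample configurations are all constructed for the example; a real check would read the fields from the controller's export format.

```python
from dataclasses import dataclass

# Hypothetical values for this example only; not real M-DCPS SSIDs or credentials.
APPROVED_BYOD_SSIDS = {"MDCPS-BYOD-EXAMPLE"}
# Hypothetical vendor defaults that the "change all default passwords" rule targets.
KNOWN_DEFAULT_PASSWORDS = {"", "admin", "password"}


@dataclass(frozen=True)
class ApConfig:
    """Fields an exported access-point configuration is assumed to contain."""
    ssid: str
    broadcast_ssid: bool
    security_mode: str        # e.g. "open", "wep", "wpa-psk", "wpa2-psk"
    cipher: str               # e.g. "tkip", "aes"
    allowed_macs: tuple = ()  # client allowlist; empty means any client may join
    admin_password: str = ""
    adhoc_mode: bool = False
    nat_enabled: bool = False
    firewall_mode: bool = False


def check_ap_config(cfg):
    """Return a list of findings; an empty list means the AP meets the minimum settings."""
    findings = []
    # (a) broadcast off unless this is the approved, restricted BYOD SSID
    if cfg.broadcast_ssid and cfg.ssid not in APPROVED_BYOD_SSIDS:
        findings.append("SSID broadcast enabled on a non-BYOD SSID")
    # (b) WPA2-PSK with AES; anything weaker (open, WEP, WPA/TKIP) fails
    if cfg.security_mode.lower() != "wpa2-psk" or cfg.cipher.lower() != "aes":
        findings.append(
            f"security is {cfg.security_mode}/{cfg.cipher}; WPA2-PSK with AES is required"
        )
    # (c) membership limited to machines with authorized IDs
    if not cfg.allowed_macs:
        findings.append("no client allowlist: membership is not limited to authorized machines")
    # (d) default passwords changed
    if cfg.admin_password in KNOWN_DEFAULT_PASSWORDS:
        findings.append("administrative password is a default value")
    # no ad-hoc participation, and no NAT or firewall role on the M-DCPS network
    if cfg.adhoc_mode:
        findings.append("ad-hoc mode enabled")
    if cfg.nat_enabled or cfg.firewall_mode:
        findings.append("device acts as a NAT or firewall device on the network")
    return findings


# Constructed sample: a residential-style AP left at factory settings.
WEAK_AP = ApConfig(
    ssid="classroom-ap", broadcast_ssid=True, security_mode="wpa-psk", cipher="tkip",
    allowed_macs=(), admin_password="admin", adhoc_mode=True, nat_enabled=True,
)

# The same AP after correction (placeholder MAC and passphrase, not real values).
HARDENED_AP = ApConfig(
    ssid="classroom-ap", broadcast_ssid=False, security_mode="WPA2-PSK", cipher="AES",
    allowed_macs=("00:11:22:33:44:55",), admin_password="REPLACE-WITH-SITE-PASSPHRASE",
)

# The approved BYOD SSID may broadcast; everything else must still be compliant.
BYOD_AP = ApConfig(
    ssid="MDCPS-BYOD-EXAMPLE", broadcast_ssid=True, security_mode="wpa2-psk", cipher="aes",
    allowed_macs=("00:11:22:33:44:66",), admin_password="REPLACE-WITH-SITE-PASSPHRASE",
)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_AP), ("hardened", HARDENED_AP), ("byod", BYOD_AP)):
        print(name, check_ap_config(cfg) or "compliant")
```

The check is deliberately conservative: a mode string it does not recognise as WPA2-PSK/AES is reported rather than assumed acceptable, which matches the standard's "at the very least" wording.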

For more details, see the M-DCPS Wireless Security Tech Note at:

4.3 Portable Devices

Use of laptop/notebook computers and Personal Digital Assistants (PDAs) has become more and more common in the District. Most now have network and wireless connectivity, video and voice functions, and significantly more powerful computing and storage capabilities. As with any components of the M-DCPS computer system, all security precautions must be taken to ensure that the informational assets of the District are not put at risk. Portable devices require extra attention because physical security for these devices is much more difficult to achieve. Users must be aware of the ease with which laptops and especially PDAs can fall into the wrong hands due to their small size and portability, and the resulting loss of security. Among the issues to consider are:

1. Wireless portable devices must have the same kinds of security discussed in section 4.2 Wireless Network Connections. Encryption must be set at a level that ensures network security and should be of a type that changes keys frequently.

2. Use of power-up and activity-timer passwords is required on PDAs and notebooks.

3. All portable devices, including PDAs, are susceptible to viruses and therefore should have anti-virus software installed. It should be set to scan e-mails and attachments as well as regular files, if available. Timely installation of patches to the Operating System (OS) will help ensure that the vulnerabilities exploited by viruses and Trojans are eliminated as the vendor uncovers and patches them.

4. Confidential data kept on any laptop or other portable device must be encrypted in the event the device is lost or stolen. Encryption of this nature can be provided as part of the hardware, part of the OS, or a 3rd-party application, and may be file-specific, folder-specific, or whole-disk. Note that some versions of Windows Vista, 3rd-party vendors, and hard-drive manufacturers now provide these capabilities. Confidential M-DCPS data should be set to private and hidden on a Palm, or to similar attributes while stored on another PDA. It can also be locked by 3rd-party software. This includes sensitive memoranda, student or staff data, lists of passwords, home addresses and phone numbers of exempt staff, social security numbers, and credit card account information. Applications on these devices should have any available security features turned on.

5. Communications with the network via the Internet or Intranet must be secure and require a valid network id and password.

6. Network passwords are not to be saved on the device; they must be retyped with each network logon. Passwords should never be written or otherwise stored on the device itself or the carrying case.

7. If tokens (hardware or software) are utilized, the token should be carried separately from the device.

8. Mobile devices should never be left unsupervised in a location with public access.

9. Contact information should be provided at the log-in prompt so that a lost device may be returned if found.

10. Forgotten PDA passwords will require the user to do a HotSync and a hard reset, which will cause all data entered since the last HotSync to be lost. Users should therefore run HotSyncs on a regular basis as a form of backup. If possible, the District should standardize on a synching product.

11. PDAs that are used for M-DCPS business should be synched to the server if possible rather than the desktop, to make sure the data is more secure and available to others in the department authorized to access it.

12. BlackBerry users should note the following:

a. Passwords can be reset by ITS by notifying the ITS Systems Support Help Desk via HEAT Self-Service.
b. If the device is lost or stolen, it should be reported immediately via HEAT Self-Service to the Help Desk. Steps can be taken by ITS to lock the device down and/or wipe the data on the device. If the device is found or returned, ITS can also restore the data once notified.
c. Administrative applications available on the BlackBerry still require the use of the appropriate network and mainframe passwords.

13. Data on damaged PDAs should always be cleaned if at all possible before the device is sent to a repair facility or disposed of.

14. Bluetooth devices connected to PDAs and cell phones should have built-in security turned on, as nearby Bluetooth devices may pick up their signals.

15. Apple iPhones must have firmware version 2.0 or higher to connect to the network, and users must turn on the "Ask to Join Networks" setting, use VPN for any outside connection used, and set a pass code.

4.4 BYOD Bring Your Own Device

A BYOD device is defined as a wireless end device (laptop, tablet, PDA, smartphone, BlackBerry, e-reader, etc.) not purchased or managed by M-DCPS, which is used by students, staff, parents, or others to connect to an M-DCPS approved public access wireless network. The BYOD network is defined as a wireless network physically and virtually separated from the M-DCPS internal network. The device must be able to support security settings of WPA2-PSK with AES and authenticate against a web-based captive portal. A captive portal is an initial web page used on the District's BYOD network that requires users to sign in, review, and accept the District's Acceptable Use Policies before being granted access to the network. Each user must connect/authenticate with a unique district-provided user account. No generic logins will be allowed. No unencrypted transmissions, peer-to-peer communications, or ad-hoc networks will be allowed. Users must agree to the District's Acceptable Use Policy. The District reserves the right to collect identifying information such as MAC addresses, serial numbers, etc. if necessary. For students, parents or guardians must sign a consent form. The District's BYOD network will be subject to best-effort bandwidth and may be restricted and/or disabled if necessary. It will be configured to access Internet resources only. BYOD applies only to the BYOD wireless network established and configured by ITS. No BYOD device will be permitted on the wired network.

Only sites meeting the following criteria will be eligible for BYOD network implementation:

a. ITS approved, configured, and managed Intrusion Prevention System (IPS) device for BYOD;
b. ITS approved, configured, and managed router for BYOD;
c. Enterprise-level wireless controller infrastructure.

Wireless security on enterprise devices must include, at least, captive portal, WPA2-PSK with AES, Virtual Local Area Network (VLAN), Access Control List (ACL), and firewall support.
